SnipBot Detection: A New RomCom Malware Variant Leverages a Custom Code Obfuscation Method and Sophisticated Evasion Techniques
A novel iteration of the RomCom malware family has emerged in the cyber threat arena. The new malware, dubbed SnipBot, combines anti-analysis techniques with a custom code obfuscation method, and has been used to move laterally within the victim's network and exfiltrate data.
Detect SnipBot Malware
The notorious RomCom malware has resurfaced with a new SnipBot variant, actively deployed by Tropical Scorpius (aka UNC2596/UAC-0132) to drive Cuba ransomware distribution. This group has also exploited older RomCom versions in targeted attacks against Ukrainian officials.
To stay ahead of attacks leveraging the enhanced SnipBot backdoor, security professionals can rely on SOC Prime Platform for collective cyber defense. Access the dedicated collection of Sigma rules accompanied by a complete product suite for advanced threat detection, automated threat hunting, and AI-powered detection engineering. Hit the Explore Detections button below to drill down to the collection of detection algorithms addressing SnipBot attacks.
The detection algorithms are aligned with MITRE ATT&CK® framework and are enriched with comprehensive cyber threat context, including relevant CTI links, mitigations, executable binaries, and more actionable metadata. Along with Sigma rules, teams can instantly reach rule translations to the industry-leading SIEM, EDR, and XDR solutions.
Additionally, security professionals aiming to analyze RomCom malware attacks retrospectively can find more relevant detection content by searching Threat Detection Marketplace with the "RomCom" tag.
SnipBot Malware Analysis
In late spring 2022, Cuba ransomware maintainers reemerged, making a bold return to the cyber threat landscape by deploying a novel custom RAT dubbed RomCom. Later, in mid-fall 2022, CERT-UA alerted the global cybersecurity community about an ongoing phishing campaign targeting Ukrainian officials and leveraging RomCom malware.
Unit42 researchers recently uncovered the latest RomCom malware version tracked as SnipBot. The new malicious strain features advanced detection evasion techniques and a unique code obfuscation method, building on those found in RomCom 3.0 and its offshoot, PEAPOD (aka RomCom 4.0).
In early April 2024, defenders detected an unusual DLL module, which was part of SnipBot’s toolset. Further analysis revealed related malware strains dating back to December 2023, with evidence suggesting attempts to move laterally within networks and exfiltrate files. SnipBot allows attackers to execute commands and download additional modules on compromised systems. Based on the new variant capabilities that combine those typical of both RomCom 3.0 and PEAPOD (RomCom 4.0) versions, Unit42 researchers track the latest iteration as RomCom 5.0.
SnipBot operates in multiple stages, starting with an executable downloader; subsequent payloads are either EXE or DLL files. The infection chain begins with an email containing a link to either an executable downloader disguised as a PDF file or an actual PDF. If the victim clicks the provided link, supposedly to download and install a font package, they launch the SnipBot downloader.
Using Cortex XDR telemetry, Unit42 researchers reconstructed the attacker’s post-infection activity, primarily command-line operations. Through SnipBot’s main module, “single.dll”, adversaries first gathered information about the internal network, including the domain controller, and then attempted to exfiltrate files from the victim’s documents, downloads, and OneDrive folders.
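The post-infection pattern described above (the "single.dll" module followed by reads from the victim's Documents, Downloads, and OneDrive folders) can be expressed as a simple correlation over endpoint telemetry. The following is an added example written for this article, not code from Unit42 or SOC Prime; it assumes a simplified, constructed event format of (host, pid, event_type, path) tuples rather than any real Cortex XDR schema.

```python
import ntpath

# Constructed sample telemetry (hypothetical, not real Cortex XDR or SnipBot data).
# Each event is (host, pid, event_type, path). PID 4120 models the reconstructed
# SnipBot activity: load of single.dll, then reads from user data folders.
SAMPLE_EVENTS = [
    ("ws01", 4120, "image_load", r"C:\Users\alice\AppData\Local\Temp\single.dll"),
    ("ws01", 4120, "file_read", r"C:\Users\alice\Documents\contracts.xlsx"),
    ("ws01", 4120, "file_read", r"C:\Users\alice\OneDrive\board-notes.docx"),
    ("ws01", 4120, "file_read", r"C:\Windows\System32\drivers\etc\hosts"),
    ("ws01", 5012, "image_load", r"C:\Windows\System32\kernel32.dll"),
    ("ws01", 5012, "file_read", r"C:\Users\alice\Downloads\invoice.pdf"),
    ("ws02", 7734, "image_load", r"C:\ProgramData\single.dll"),
]

# User-profile folders the reconstructed activity targeted for exfiltration.
STAGED_FOLDERS = ("documents", "downloads", "onedrive")
MODULE_NAME = "single.dll"  # SnipBot's main module name as reported in the analysis


def _under_staged_folder(path):
    """True if path lies beneath a user's Documents, Downloads or OneDrive folder."""
    parts = path.lower().replace("/", "\\").split("\\")
    # Expect ...\Users\<name>\<folder>\...; check the folder right after the user name.
    try:
        idx = parts.index("users")
    except ValueError:
        return False
    return len(parts) > idx + 2 and parts[idx + 2] in STAGED_FOLDERS


def find_snipbot_collection(events):
    """Return (host, pid, path) for every file read under a staged folder by a
    process that earlier loaded a module named single.dll. Events are assumed to
    be time-ordered; a plain file read by an unrelated process is not flagged."""
    suspicious = set()  # (host, pid) pairs that loaded the module
    hits = []
    for host, pid, etype, path in events:
        if etype == "image_load" and ntpath.basename(path).lower() == MODULE_NAME:
            suspicious.add((host, pid))
        elif etype == "file_read" and (host, pid) in suspicious and _under_staged_folder(path):
            hits.append((host, pid, path))
    return hits
```

Matching on a bare module name is deliberately a hunting heuristic rather than a high-fidelity alert; in production, pair it with the signed-binary and path context the Sigma rules above carry.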
The attackers behind RomCom have targeted a diverse range of victims, including organizations in the IT services, legal, and agriculture sectors. Defenders assess that SnipBot maintainers have shifted their focus from financial gain to cyber-espionage operations, with Ukraine and its allies remaining the primary targets.
The continuous evolution of the RomCom malware family, and the enhanced capabilities identified in the analysis of the latest SnipBot iteration, underscore the need to stay constantly vigilant and to implement advanced security measures that safeguard the organization's defenses and data against growing cyber threats. Rely on SOC Prime's Attack Detective to strengthen your SIEM posture, obtain prioritized use cases for high-fidelity alerting, and adopt a packaged threat hunting capability aligned with your cybersecurity strategy.